Archive for August, 2008

The following is a piece that was originally written for Network World’s Security Newsletter and published in March of 2006.  It was a collaborative effort between Joe Faraone, a close friend, and me.  The issue we touched on really hasn’t gone away, so I thought that I’d dust it off and update it a bit.

Sometimes we hear senior managers and executives expressing frustration with government regulation by saying that the issue has come down to a choice of either being secure or being compliant.  In fact, compliance remains the number one driver of information security as reported in the 10th Annual Global Information Security Survey conducted by Ernst & Young.

This is consistent with the article that sparked the original version of this post.  That was an Information Security Magazine article from October 2005 in which security managers were asked to respond to the question, “What is your biggest obstacle to implementing and managing security related government regulations?”  Responses reveal that the top two obstacles faced were unclear compliance-related responsibilities and interpreting regulatory language.  This point of view appears to be more prevalent in the private sector than the public sector.

One of the reasons for this discrepancy is that the public sector must follow a specific framework for measuring the maturity and effectiveness of its information security programs: certification and accreditation (C&A).  The Federal Information Security Management Act of 2002 (FISMA) was intended to provide for the development and maintenance of the minimum controls required to protect information systems and to provide a framework for ensuring the effectiveness of these controls.  While many of the overriding principles followed in C&A are contained within the law, nowhere are the words “certification” or “accreditation” found.

FISMA points to the Office of Management and Budget (OMB) as well as the National Institute of Standards and Technology (NIST) for guidance.  OMB has issued its Circular A-130, which requires that all federal information systems be certified and accredited following guidelines developed by NIST.

Now, the C&A process has gotten a lot of bad press, some of it well deserved, but coming from someone who has worked with the process in one form or another for the past ten years, I’d say that it comes down to a matter of implementation rather than issues with the process itself.  If the process is viewed as just another paper exercise intended to satisfy auditors, then it is a waste of time; it is also a case of missing the forest for the trees.

NIST has done a laudable job of developing and revising this guidance. It provides a methodology to fully document, measure, assess, track and report on the health of information systems from the aspect of security. These guidelines show how to integrate an information security program with the systems development lifecycle as well as how to test the implemented controls.

Those in the private sector are probably wondering why this should be important to them.  Many argue that the control sets mandated by the process are too much for a private sector environment.  Others say that implementing the full set of baseline controls would be too costly and provide little ROI.  Again, my response is that you’re missing the forest for the trees.  The process itself is what is valuable here, and it is flexible enough to allow any set of requirements to be utilized, not just the set of baseline controls provided by NIST.

NIST publications and the methodology for conducting certification and accreditation are freely available and constitute an untapped, publicly available security resource.  Inputting the government regulations (Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, etc.) into this framework allows the private sector to document, measure, assess, track and report upon the security posture of their information systems and how well government regulations are adhered to.  The private sector can assess the maturity of their information security programs and determine how well these programs integrate into their overall business processes.

What is key for the private sector is that the process must be tailored to your environment and needs.  Herein lies the problem that has plagued C&A from its beginning – it is often applied improperly. 

When the emphasis is placed on being compliant, people go through the motions and focus on technology and checking boxes rather than leveraging the power of the framework to assess the effectiveness of their programs.

The two most basic elements of any system are often overlooked or underemphasized: the information being protected and the people who use the information. You can put in all the high security devices you want in a system, but if you do not account for the people who need to use the information system and the criticality of the information within the system, you still will not be secure.

If the C&A process is improperly applied then it does result in a lot of wasted time and paperwork. If it is properly applied then it becomes a wonderful tool to assess the effectiveness of your security controls – everything from policy and procedure down to control functionality and configuration.  It provides a holistic view of the network and security with the emphasis on being secure. Compliance is simply a milestone on that journey.

The beauty of this is that the information that you need to implement this framework is _free_ and fully available at the NIST Web site.  Do you need to hire high-priced consultants to come and set this up for you?  No, you don’t.  Although consultants can save you some time on the learning curve, the guidance available through NIST will allow you to begin the process on your own.  You can then use consultants to give you an independent review of your program or to bolster areas where you might feel less comfortable.  But remember that you must tailor this framework to fit your environment – use what works and makes sense and discard that which does not.  (Sorry government readers – this doesn’t apply to you.  You don’t have the same latitude to do that as does the private sector.)

The CIO implementing this approach can concentrate on the details of how information is protected and used rather than scurrying about wondering how to bring order to the new herd of cats that legislation has unleashed.

Take the framework that NIST has so diligently given us, plug in the requirements that you are subject to, and then sit down with your network architects, your user representatives and your key project managers and find a way to work efficiently but securely.  With the NIST framework, you will be able to assess, measure, track, and deliver a more secure and user-friendly network and, in the process, achieve compliance.  I have done this with amazing results, so I know for a fact that it works.

Alternatively, keep enjoying your view of the forest.


I’d like to apologize to everyone for being a bit lax over the last week or so.  When you start your own small business you must often wear many different hats.  It also means that there are often not that many people, if any at all, to delegate to.  I’ve spent the last week working on a few proposal responses so I have been writing – just not material for the blog. 

I also took a trip to Washington DC to meet with a few clients and potential clients.  I decided to stay with family which was nice but they don’t have Internet connectivity at their home.  I know that is a surprising thing in today’s world but they really don’t and I don’t think it is economical to get dial-up service for the few times that I’m there during the year.  (Does anyone else inwardly cringe when they hear the word dial-up?)

Now they have been trying to rectify the situation.  They live out in a rural area (as much as any area within the DC commuting area is still rural) so they have had to pay to have fiber run out to them.  Apparently it isn’t as easy as calling and having your local telecom run the line.  It takes some doing.  There is one group that comes out to run it down the public highway but they stop there.  Another group then must come out and run it up the driveway.  Since my family lives off a shared driveway this apparently requires two separate groups to run it up to their home.  One for the shared driveway and another for their private driveway.  And yet another group must then come and set it up in the house. 

Now it has been six months since this process started.  I sat in the living room and could actually see the fiber sticking out of the ground down at the top of the shared driveway.  Just a little bit to go before it actually gets into the house.  It was frustrating, but not frustrating enough to pack up my laptop and head down to the Starbucks to pick up a wifi connection.  Hopefully the situation will be rectified before I go and visit in December.

Anyway – I was able to locate a few old articles that I’ve dusted off to post here.  It feels a bit like cheating, but I think the topics are still relevant and, like I said, I did spend a few minutes reworking them a bit.  Once I get this proposal put to bed this week I’ll work on a few posts for next week.  There is a lot of material, just not enough time to get to it.

Thanks for understanding.


In light of the recent upsurge in interest over the Insider Threat, I’ve decided to write a little about some of the various controls that can be put in place to minimize the risk posed by malicious insiders. 

(A note to small and medium-sized businesses – our employees tend to wear “many different hats,” as the saying goes, and therefore pose much more of a risk than in larger organizations where duties are more segmented.  As such, when hiring or promoting someone into a position of trust, it may behoove you to dig a little deeper into their background.)

Information Risk Management is about more than installing and monitoring a technological control.  Technological controls only constitute one-third of the equation.  The other two elements are People and Process.  It is important that we work with the HR and Legal departments to ensure that we adequately cover these elements.  We each have roles to play in protecting our organizations. 

One of the areas where information risk management can provide valuable input is personnel screening.  (There are other areas that I’ll deal with in other blog posts.)  Personnel screening is the process of vetting individuals to ensure they meet a minimum set of requirements before they are given access to information systems.  What those requirements are varies by organization and can be influenced by laws, policies, regulations, standards, and guidelines.  HR and Legal may be up on the laws pertaining to employees and operating a company, but they may not be as familiar with the regulations concerning the protection of information.  Even if an organization is not obligated to screen employees, it may be in its best interest to do so for roles designated as “Positions of Trust.”

Persons occupying “Positions of Trust” are those who have special duties or special access to information not available to other employees and are expected to exercise some sort of professional or managerial discretion.  Typically these employees receive less supervision than other employees.  Since an organization delegates authority to these individuals, it should have sufficient information at its disposal to make an informed decision.

In order to do this an organization must first lay the appropriate groundwork.  This includes reviewing its policies and procedures to make sure that it has a formal, documented policy that addresses the purpose, scope, roles and responsibilities involved in instituting and enforcing personnel security measures.  The organization’s commitment to security and how it intends to coordinate its actions among its various departments should also be clearly spelled out.

The next step would be to categorize all of its positions with regard to the authority they exercise.  Care must be taken here because it is easy to be too granular in this exercise.  Simple is better.  Various roles will emerge and as they do, the organization should establish screening criteria for individuals filling these roles.  For example:

All Employees

  • Upon initial hire/promotion (and every two years thereafter)
      o Criminal History
      o Credit Check

All Managers (every two years)

  • In addition to the requirements for all employees:
      o Professional Credential Check
      o Education Verification

Senior Managers/Corporate Officers (every two years)

  • In addition to the requirements for managers:
      o Reference Interview
      o Civil Litigation Check

These are of course just examples, and the details will vary by industry, business size, etc.  HR and Legal will have their own thoughts on what types of checks need to be done, and since they are ultimately responsible for these activities the final decision must rest with them.  There are state and federal laws that pertain to background checks.  The Privacy Rights Clearinghouse does have a good summary page.  What is important from our perspective is that Information Risk Management has some input to the decision making process.

HR and Legal also hold the ultimate responsibility for ensuring that a formal sanction process is implemented for personnel failing to comply with established policies and procedures.  It should be included as part of the general personnel policies and procedures and be specific enough to ensure equal treatment for all employees.  Phrases such as “Appropriate action may be taken” are not specific enough, whereas being too specific can tie an organization’s hands.  My recommendation here is to make sure that the organization identifies the criteria for automatic termination; everything else can be dealt with as “appropriate action.”  (I would also argue that the minimum that should be prescribed for a policy violation is a written reprimand placed in the employee’s record.)  Information Risk Management has the responsibility to detect and provide evidence of a violation, but HR/Legal is the adjudicator.

Do you need to run a background check on every employee?  Laws and regulations notwithstanding, I’d say no.  Depending on the size of your organization, the added expense may be cost prohibitive.  There are also legal concerns with the practice of personnel screening.  You should consult with your legal counsel before instituting any such program so that you know what your obligations and responsibilities are.

On the whole, I think you will find that the benefits far outweigh the issues when it comes to personnel screening.


This is Part Three of a multi-part series on the Insider Threat.  I’m interested in what motivates this type of individual, the patterns of behavior, and what organizations can do to reduce the likelihood that a malicious insider can impact their business.  In Part One, I relayed my own story of experience with what was most likely a malicious insider.  In Part Two, I reviewed some research that examines the insider threat and the pattern of behavior exhibited by malicious insiders.  In Part Three I’ll examine what can be done to mitigate the threat malicious insiders pose to organizations. 

I’ll have to ask you to bear with me just a little longer concerning the academic material. I promise that I’ll show you how it can be applied to real life situations. 

We talked about the interrelated behavior loops that influence the behavior of the malicious insider and how these behavior loops interact with and influence each other.  Ironically, the very actions of trust and empowerment that have proven so beneficial to workplace satisfaction and performance appear to be the very things that support the transformation of trusted insiders into malicious insiders (with the appropriate motivation, of course).  Should we change the way we manage people and reduce the level of employee trust and empowerment in order to combat the insider threat?  Of course not, but that doesn’t mean that we can’t do anything about the malicious insider.

Typically this would be the beginning of a discussion about the technical tools used to monitor and control access to information, but I am not going to talk about technical controls.  Technical controls only constitute one-third of the information security equation.  The other two parts are People and Process.  I am of the belief that effective information security is based first on the human element.  Successful information security/information risk management programs are built first on understanding the people using the information systems, then on the processes they use to accomplish their jobs (both manual and electronic).  Finally, technological controls are chosen as appropriate for both the users and their processes.

Let me start out by saying that there is no way that you will be able to totally eliminate the insider threat.  The concepts that I will be addressing are intended to reduce the risk to acceptable levels, not to eliminate it.

One of the reasons the authors of Preliminary System Dynamics Maps of the Insider Cyber-threat Problem chose not to deal with what motivates a malicious insider is that there can be as many different motivators as there are malicious insiders.  If it is not efficient to focus on the individual, then we must focus on how individuals act within our organizations.  That is the study of Social Cognition.

Much of the understanding we have of this process can be tied to the experiments of many psychologists and social scientists, starting with the work of psychologist Stanley Milgram in the 1960s and subsequently built upon over the years.  These experiments have led to the development of five principles of social cognition:

  • The Power of the Situation over Behavior,
  • Blindness for Situational Influences,
  • Social Perception and Self-Perception are Constructive Processes,
  • Blindness for the Constructed Nature of Social and Self-Perception, and
  • Self-Processes are Social.

I’ll be releasing a white paper shortly that discusses these principles in greater detail; however, what is important to this discussion is that individuals exhibit a tendency to conform their behavior to that of the groups to which they belong.  Another interesting aspect of this principle is that while group dynamics can alter individual reactions, these very same individuals tend to seek out other individuals when in need rather than groups (Link A and Link B).  What is surprising is that we (as individuals) are largely unaware of the influence that social situations have on our behavior.

The next principles deal with how we interpret the world around us.  Studies have shown that our perception of the world is constructed by our understanding of abstract concepts, yet we experience our interpretation of the environment as a direct perception of reality.  This can be illustrated by the interpersonal misunderstandings that can occur when people from different cultures interact.  (This can also be attributed to the “us versus them” attitude that we experience as information security professionals.)

Individuals construct their own self-knowledge in much the same way they perceive the world around them.  Just as individuals are unaware that their interpretations of their environment are influenced by how they define abstract concepts, these same abstract concepts also influence an individual’s perception of self, again without their awareness.

So what does all this mean? 

The practical application of these principles can increase the level of security or risk awareness within the organization by focusing our efforts on the group (individual behavior tends to conform to that of the larger group) and supporting this by instituting a mentor program to monitor individual development (individuals tend to seek out other individuals when in need rather than groups).

Since perception of the world around us (and of ourselves) is governed by our understanding of abstract concepts, we must institute programs to influence the abstract concepts of risk management within our organizations.  This means that we must directly address Corporate Culture.

Each organization has a unique persona.  Corporate Culture is a system of shared meaning held by the individuals who make up the corporation.  Changing corporate culture can be challenging and can be viewed similarly to product branding.  It conveys a sense of identity for its employees and facilitates a commitment to an overall goal or objective rather than individual goals and objectives.  You must first accurately gauge what the organization’s perceptions of information security are before you can design a program to alter these perceptions.

This program must focus on an organization’s unique perceptions and include reinforcement (both positive and negative) in addition to education.  This is where most traditional security awareness and training programs fail.  They focus solely on training, not on changing behavior.  The basic principles of information security have been taught to employees for so many years now that most employees could recite them from memory if asked.  The problem is that this knowledge is not translating into behavior.

Using the concepts here we can influence the behavior maps that we discussed in Part Two.  We can keep the perception of risk high despite the high level of trust we want to foster in the environment.  This in turn helps to maintain adequate levels of funding and detective capability for information security.  A corporate culture that is risk-aware is also one that can positively influence a disgruntled insider so that they are less likely to become a malicious insider. 

At the end of the day there is no way to totally eliminate the insider threat; however, if we approach this problem in the right way we can stack the deck in our favor and reduce the risk to acceptable levels.

(FYI – If Social Cognition interests you as much as it interests me then I suggest that you start with an excellent article by Dr. Matthew Lieberman on the subject.)


Over the years I have typically seen metrics that mean something to the network/IA staff but not to senior management.

When these metrics are given to C-level executives, their eyes glaze over and they don’t really understand what they are being told.  They rapidly try to figure out whether a larger or smaller number is bad so they can attempt to put what they are given in some sort of context.  The problem is that they become used to this and begin to rely on these numbers without understanding what the numbers are really telling them.  They think they understand but they don’t, and as a result they don’t give IA the priority they would if they really understood what they were being told.

We, as IA professionals, become complacent with this arrangement because that is what we are used to and our executives appear to understand.  We confuse acceptance for understanding.

As IA professionals, we often only answer half of the question and totally forget about the business side of the equation.  We need to understand our audience and frame our metrics in terms that they understand rather than in terms that we understand.  We need to find a way to both qualitatively and quantitatively measure our success and translate that into business speak each and every time.

Think about it this way – we can create the business case for what we do each and every time we generate metrics without having to continuously try to convince others.

While I believe it is important to measure what our management wants to see, it is equally important that we tell them what they need to measure.  Now this may seem straightforward, but I don’t just mean giving them answers to questions they haven’t asked and then trying to convince them that this information is important.  What I mean is that we should aim to provide the appropriate metrics with every project proposal we submit to management for funding.

That would mean not just telling management that we want to be able to correlate and filter x number of log entries from y number of devices, but that we want to be able to, say, reduce the number of false positive incidents by 25%, resulting in a savings of z dollars per year, by implementing a SIEM project.

As with most of our IA duties, the qualitative nature of our job often makes the development of useful metrics difficult.  Yes, we can count the number of viruses our desktop AV catches a week, but is that really meaningful in the long run?  It may be if we can tie that number into a formula that calculates response, recovery, and lost productivity costs per virus outbreak.

I guess what I’m saying is that the actual measurement isn’t as important as constantly linking that information with figures that mean something to management.  This is probably in line with Deming’s emphasis on controlling the process, since it ties the process to outcomes that resonate in business terms.

Thoughts?
